package com.cntaiping.fsc.security.config;

import com.cntaiping.fsc.security.config.TpSecurityProperties;
import com.cntaiping.fsc.security.filter.TpHttpBasicAuthFilter;
import com.cntaiping.fsc.security.filter.TpHttpLogoutFilter;
import com.cntaiping.fsc.security.filter.TpIpAddressFilter;
import com.cntaiping.fsc.security.filter.TpTokenAuthFilter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;

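/**
 * Spring Security configuration for servlet web applications, driven by {@link TpSecurityProperties}.
 *
 * <p>Registers the optional Tp* filter beans and two {@link SecurityFilterChain}s:
 * one for actuator endpoints and one for every path that is not on the "ignored" list.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The main chain built by {@link #initHttpSecurity(HttpSecurity)} configures channel security,
 *       CSRF, CORS and response headers only. It declares no {@code authorizeHttpRequests} rules and
 *       does not add the Tp* filters to the chain. NOTE(review): access control presumably relies on
 *       those filter beans being registered as servlet filters by the container; confirm.</li>
 *   <li>Paths on the ignored list are excluded from the main chain's security matcher, so they get
 *       neither the CSRF handling nor the response headers configured here. Keep that list minimal.</li>
 *   <li>Most filter beans use {@code matchIfMissing = true}, so they are active unless explicitly
 *       disabled; the basic-auth filter is opt-in.</li>
 * </ul>
 *
 * <p>This source was recovered by a decompiler (original class:
 * {@code com/cntaiping/fsc/security/config/TpSecurityConfig.class}).
 */
@EnableConfigurationProperties({SecurityProperties.class, TpSecurityProperties.class})
@Configuration
@ConditionalOnClass({EnableWebSecurity.class, AuthenticationEntryPoint.class})
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
public class TpSecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(TpSecurityConfig.class);
    protected final TpSecurityProperties tpSecurity;
    // Resolved lazily from the csrfTokenRepository() bean method; nothing else in this class assigns it.
    private CsrfTokenRepository csrfTokenRepository;

    /**
     * {@link CorsConfigurationSource} that returns one fixed {@link CorsConfiguration} for every
     * request, regardless of path.
     */
    public static class GlobalCorsConfigurationSource implements CorsConfigurationSource {
        private final CorsConfiguration config;

        public GlobalCorsConfigurationSource(CorsConfiguration corsConfiguration) {
            this.config = corsConfiguration;
        }

        @Override
        public CorsConfiguration getCorsConfiguration(HttpServletRequest httpServletRequest) {
            return this.config;
        }
    }

    /**
     * Matches every request whose path is NOT on the configured "ignored" list.
     *
     * <p>Used as the security matcher of the main filter chain, so ignored paths bypass that chain
     * completely. Decompiler note: this class was originally declared {@code private}.
     */
    public class IgnoredPathRequestMatcher implements RequestMatcher {
        private final List<String> ignored;
        private final RequestMatcher delegate;

        public IgnoredPathRequestMatcher(TpSecurityProperties tpSecurityProperties) {
            this.ignored = getIgnored(tpSecurityProperties);
            this.delegate = buildDelegate(this.ignored);
        }

        /**
         * @return {@code true} when the request matches none of the ignored patterns
         */
        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            return !this.delegate.matches(httpServletRequest);
        }

        /**
         * Resolves the effective ignored patterns: the defaults when none are configured, otherwise
         * the configured list with the {@code "none"} sentinel removed.
         */
        private List<String> getIgnored(TpSecurityProperties tpSecurityProperties) {
            List<String> patterns = new ArrayList<>(tpSecurityProperties.getIgnored());
            if (patterns.isEmpty()) {
                patterns.addAll(TpSecurityProperties.DEFAULT_IGNORED);
            } else {
                // "none" is a sentinel meaning "ignore nothing", not a path pattern.
                patterns.remove("none");
            }
            return patterns;
        }

        /**
         * Builds the matcher for the ignored patterns.
         *
         * <p>OrRequestMatcher rejects an empty list, which is exactly what a configuration of only
         * {@code "none"} produces. In that case nothing is ignored, so the delegate matches no
         * request and {@link #matches} returns {@code true} for all of them (fail closed).
         */
        private RequestMatcher buildDelegate(List<String> patterns) {
            if (patterns.isEmpty()) {
                return request -> false;
            }
            List<RequestMatcher> matchers = patterns.stream()
                    .<RequestMatcher>map(AntPathRequestMatcher::new)
                    .collect(Collectors.toList());
            return new OrRequestMatcher(matchers);
        }
    }

    public TpSecurityConfig(TpSecurityProperties tpSecurityProperties) {
        LOG.info("Init TpSecurityConfig!");
        this.tpSecurity = tpSecurityProperties;
    }

    /**
     * Token authentication filter; enabled unless {@code app.security.enableTpTokenAuthFilter} is
     * set to something other than {@code true}.
     */
    @ConditionalOnProperty(name = {"app.security.enableTpTokenAuthFilter"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public TpTokenAuthFilter tpTokenAuthFilter(@Qualifier("ignoredPathMatcher") PathMatcher pathMatcher) {
        // The original message named TpHttpBasicAuthFilter here, which made startup logs misleading
        // when auditing which authentication filters are active.
        LOG.info("Init TpSecurityConfig create TpTokenAuthFilter!");
        TpTokenAuthFilter filter = new TpTokenAuthFilter(this.tpSecurity);
        filter.setMatcher(pathMatcher);
        filter.setIgnoredUrls(this.tpSecurity.getIgnored());
        filter.setEnableBasicAuth(this.tpSecurity.isEnableBasicAuthFilter());
        return filter;
    }

    /**
     * HTTP Basic authentication filter; opt-in via {@code app.security.enableBasicAuthFilter=true}.
     *
     * <p>Credentials come from Spring Boot's {@link SecurityProperties.User}. NOTE(review): make sure
     * deployments set an explicit user name and password from a secret store rather than relying on
     * Boot's defaults, and that Basic auth is only reachable over TLS.
     */
    @ConditionalOnProperty(name = {"app.security.enableBasicAuthFilter"}, havingValue = "true", matchIfMissing = false)
    @Bean
    public TpHttpBasicAuthFilter tpHttpBasicAuthFilter(SecurityProperties securityProperties, @Qualifier("ignoredPathMatcher") PathMatcher pathMatcher, CsrfTokenRepository csrfTokenRepository) {
        LOG.info("Init TpSecurityConfig create TpHttpBasicAuthFilter!");
        SecurityProperties.User user = securityProperties.getUser();
        TpHttpBasicAuthFilter filter = new TpHttpBasicAuthFilter(user.getName(), user.getPassword());
        filter.setMatcher(pathMatcher);
        filter.setIgnoredUrls(this.tpSecurity.getIgnored());
        filter.setEnableFormLogin(this.tpSecurity.isEnableFormLogin());
        filter.setCsrfTokenRepository(csrfTokenRepository);
        return filter;
    }

    /** Logout filter; enabled unless {@code app.security.enableHttpLogoutFilter} disables it. */
    @ConditionalOnProperty(name = {"app.security.enableHttpLogoutFilter"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public TpHttpLogoutFilter tpHttpLogoutFilter() {
        LOG.info("Init TpSecurityConfig create TpHttpLogoutFilter!");
        return new TpHttpLogoutFilter();
    }

    /**
     * IP allow/deny filter built from the configured lists; enabled unless
     * {@code app.security.enableIpAddressFilter} disables it.
     */
    @ConditionalOnProperty(name = {"app.security.enableIpAddressFilter"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public TpIpAddressFilter tpIpAddressFilter() {
        LOG.info("Init TpSecurityConfig create IpAddressFilter!");
        return new TpIpAddressFilter(this.tpSecurity.getAllowList(), this.tpSecurity.getDenyList());
    }

    /**
     * Cookie-backed CSRF token repository.
     *
     * <p>{@code withHttpOnlyFalse()} leaves the token cookie readable by page scripts so a
     * JavaScript client can echo it back in a header. The trade-off is that any script running in
     * the origin can read the token, so this relies on the application being free of XSS.
     */
    @Bean
    public CsrfTokenRepository csrfTokenRepository() {
        LOG.info("Init TpSecurityConfig create CsrfTokenRepository!");
        return CookieCsrfTokenRepository.withHttpOnlyFalse();
    }

    /** Ant-style path matcher the Tp* filters use to evaluate ignored URLs. */
    @Bean({"ignoredPathMatcher"})
    public PathMatcher ignoredPathMatcher() {
        LOG.info("Init TpSecurityConfig ignoredPathMatcher.");
        return new AntPathMatcher();
    }

    /**
     * Returns the CSRF token repository to hand to Spring Security.
     *
     * <p>The field is never assigned elsewhere in this class, so passing it directly handed
     * {@code null} to the CSRF configurer whenever CSRF was enabled. Calling the {@code @Bean}
     * method on this {@code @Configuration} instance yields the container-managed repository.
     */
    private CsrfTokenRepository resolveCsrfTokenRepository() {
        if (this.csrfTokenRepository == null) {
            this.csrfTokenRepository = csrfTokenRepository();
        }
        return this.csrfTokenRepository;
    }

    /**
     * Applies channel security, CSRF, CORS, response headers and the ignored-path security matcher
     * to the given builder.
     *
     * @param httpSecurity the builder to configure
     * @return the configured builder
     * @throws Exception if any configurer fails
     */
    private HttpSecurity initHttpSecurity(HttpSecurity httpSecurity) throws Exception {
        HttpSecurity http = httpSecurity;
        if (this.tpSecurity.isRequireSsl()) {
            http = http.requiresChannel(channels -> channels.anyRequest().requiresSecure());
        }
        if (this.tpSecurity.isEnableCsrf()) {
            CsrfTokenRepository repository = resolveCsrfTokenRepository();
            http = http.csrf(csrf -> csrf.csrfTokenRepository(repository));
        } else {
            // With CSRF protection off, state-changing requests must not be authenticated by
            // ambient browser credentials (cookies, Basic auth) alone.
            http = http.csrf(csrf -> csrf.disable());
        }
        if (this.tpSecurity.isEnableCors()) {
            http = http.cors(cors ->
                    cors.configurationSource(new GlobalCorsConfigurationSource(this.tpSecurity.getCors())));
        } else {
            http = http.cors(cors -> cors.disable());
        }
        http.headers(headers -> configureHeaders(headers, this.tpSecurity.getHeaders()));
        // Requests on the ignored list never enter this chain.
        return http.securityMatcher(new IgnoredPathRequestMatcher(this.tpSecurity));
    }

    /**
     * Translates the {@link TpSecurityProperties.Headers} settings into header-writer configuration.
     *
     * @param headersConfigurer the Spring Security headers configurer to adjust
     * @param headers           the configured header options
     */
    private void configureHeaders(HeadersConfigurer<?> headersConfigurer, TpSecurityProperties.Headers headers) {
        if (headers.getHsts() != TpSecurityProperties.Headers.HSTS.NONE) {
            // HSTS.ALL also covers subdomains. AnyRequestMatcher makes the writer apply to plain
            // HTTP responses too.
            // NOTE(review): HSTS.NONE only skips this extra writer; it does not switch off any HSTS
            // writer the configurer enables by default — confirm this is the intended meaning.
            boolean includeSubDomains = headers.getHsts() == TpSecurityProperties.Headers.HSTS.ALL;
            HstsHeaderWriter hstsHeaderWriter = new HstsHeaderWriter(includeSubDomains);
            hstsHeaderWriter.setRequestMatcher(AnyRequestMatcher.INSTANCE);
            headersConfigurer.addHeaderWriter(hstsHeaderWriter);
        }
        if (!headers.isContentType()) {
            headersConfigurer.contentTypeOptions(options -> options.disable());
        }
        if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
            String policy = headers.getContentSecurityPolicy();
            boolean enforce = headers.getContentSecurityPolicyMode()
                    == TpSecurityProperties.Headers.ContentSecurityPolicyMode.DEFAULT;
            headersConfigurer.contentSecurityPolicy(csp -> {
                csp.policyDirectives(policy);
                if (!enforce) {
                    // Report-only mode reports violations without blocking them.
                    csp.reportOnly();
                }
            });
        }
        if (!headers.isXss()) {
            headersConfigurer.xssProtection(xss -> xss.disable());
        }
        if (!headers.isCache()) {
            headersConfigurer.cacheControl(cache -> cache.disable());
        }
        if (headers.isFrame()) {
            headersConfigurer.frameOptions(frame -> frame.sameOrigin());
        } else {
            // Disabling frame options removes the clickjacking protection header.
            headersConfigurer.frameOptions(frame -> frame.disable());
        }
    }

    /**
     * Main filter chain for all non-ignored paths; active unless {@code app.security.basic.enabled}
     * is set to something other than {@code true}.
     */
    @ConditionalOnProperty(value = {"app.security.basic.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    @Order(2147483642) // Integer.MAX_VALUE - 5
    public SecurityFilterChain tpSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return initHttpSecurity(httpSecurity).build();
    }

    /**
     * Filter chain for actuator endpoints: the health endpoint is public, every other endpoint
     * requires an authenticated user via HTTP Basic.
     *
     * <p>Its order value is one lower than the main chain's, so it is consulted first.
     */
    @ConditionalOnProperty(value = {"app.security.basic.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    @Order(2147483641) // Integer.MAX_VALUE - 6
    public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> {
            // Order matters: the specific permitAll rule must precede the catch-all.
            requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll();
            requests.requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated();
        });
        httpSecurity.requestCache(cache -> cache.requestCache(new CookieRequestCache()));
        httpSecurity.httpBasic(Customizer.withDefaults());
        return httpSecurity.build();
    }
}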
